It appears the source of a recent zero-day exploit was Microsoft's program to prevent zero-day exploits. Why is Cringely not surprised?

InfoWorld|Mar 19, 2012

Some words just seem to go together: "bread" and "butter"; "trial" and "error"; "Microsoft" and "security breach." The MS12-020 Remote Desktop Protocol vulnerability revealed last week shows once again that when it comes to data security, Microsoft is its own worst enemy and any "secure" system can be compromised.

As Computerworld's Gregg Keizer reports, the proof-of-concept RDP exploit was developed by Italian security wonk Luigi Auriemma last May. He passed it on to HP's bug bounty program, aka the Zero Day Initiative, in August. HP's ZDI passed Auriemma's code to Microsoft, which shared it with its 79 antivirus security partners in its Microsoft Active Protections Program (MAPP). That list includes the biggest names in computer security, as well as some lesser-known European and Asian firms. Somewhere along the line that code escaped from the lab and is now in the wild, infecting unsuspecting citizens and creating an army of flesh-eating zombies.

Last week Auriemma found the exploit code he'd created on a Chinese website, along with telltale signs that proved it was the same code he had written and that this code had been passed on to Microsoft before being leaked.

Now we have three key suspects: Mr. Ballmer in the library with the candlestick, Ms. Whitman in the conservatory with the rope, or Premier Wen Jiabao in the lotus garden with the rainbow sword.

Microsoft is pointing the finger at its MAPP partners, and it's probably right, given how easily Symantec was pwned by Anonymous for its source code last year. I'm not saying Symantec is the leaker (though that's the first place I'd look, simply because of the hack) or that Anonymous is the leakee. If it were the Anons, you'd think they'd be crowing their heads off about that right about now.

Still, you wouldn't have to be a hacking mastermind to pull this off. A little social engineering to gain access to an email list, a quick search of the inbox for a message containing the log-on and password to the MAPP program -- boom, you're in. Then post the code on a hacker-friendly forum and wait for the walls to come tumbling down.